Moar Shellz!

Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:

Metasploit psexec
Metasploit psexec_psh
Windows psexec executable
Impacket psexec python script
pth-winexe
pth-wmis
smbexec
Veil-Catapult

All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec_command” module, created by Royce Davis (@r3dy__), from Accuvant LABS.

First, we need to create an AV-safe executable to deploy to our target. If you haven’t checked it out yet, Veil-Evasion is one of the easiest ways to create AV-safe executables. After we have an executable, we simply create an SMB share for our targets to access.

The module does leave a randomly named .txt file in the “Windows\temp” directory that you need to clean up manually, but that’s it! You can also point RHOSTS to a text file listing multiple remote hosts to target.
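That leftover file is the one host artifact the post names, so it is a natural thing for a defender or incident responder to triage for. The following Python is an added example, not code from the original post or from the psexec_command module: it scans a file listing for recently modified .txt files directly under Windows\Temp whose names look machine-generated. The “random name” heuristic (a single alphanumeric token of 8+ characters that mixes digits with letters or contains a run of four or more consonants), the 24-hour window, and the sample listing are all constructed assumptions; treat hits as candidates for review, not verdicts.

```python
"""Triage helper: flag recently written, randomly named .txt files in Windows\\Temp.

Added example (not from the original post or the psexec_command module). The
artifact it looks for is the one the post describes; the name heuristic, the
time window and the sample listing below are assumptions.
"""
import re
from datetime import datetime, timedelta

# <drive>:\Windows\Temp\<stem>.txt, case-insensitive; the stem is captured.
TEMP_TXT = re.compile(r"^[a-z]:\\windows\\temp\\([^\\]+)\.txt$", re.IGNORECASE)

# Patterns rare in deliberately chosen file names (heuristic, an assumption):
# digits mixed with letters, or four or more consonants in a row.
DIGIT_AND_LETTER = re.compile(r"(?=.*\d)(?=.*[A-Za-z])")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Return True if `stem` looks machine-generated: one alphanumeric token of
    8+ characters that mixes digits with letters or has a 4+ consonant run."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", stem):
        return False
    return bool(DIGIT_AND_LETTER.match(stem)) or bool(CONSONANT_RUN.search(stem))


def triage_temp_txt(entries, now, window=timedelta(hours=24)):
    """Given (path, mtime) pairs, return the paths of .txt files directly under
    Windows\\Temp that were modified within `window` of `now` and whose names
    look random. The result is sorted so reports are stable."""
    flagged = []
    for path, mtime in entries:
        match = TEMP_TXT.match(path)
        if not match:
            continue                      # wrong directory or extension
        if now - mtime > window:
            continue                      # outside the triage window
        if looks_random(match.group(1)):
            flagged.append(path)
    return sorted(flagged)


# Constructed sample listing (not real data); NOW anchors the time window.
NOW = datetime(2014, 5, 12, 9, 22)
SAMPLE_LISTING = [
    ("C:\\Windows\\Temp\\kXzqWbTmYd.txt", NOW - timedelta(minutes=5)),   # random, fresh
    ("C:\\Windows\\Temp\\a7f3b9c2d1.txt", NOW - timedelta(hours=2)),     # random, fresh
    ("C:\\Windows\\Temp\\setuplog.txt", NOW - timedelta(minutes=30)),    # readable name
    ("C:\\Windows\\Temp\\readme.txt", NOW - timedelta(minutes=1)),       # too short
    ("C:\\Windows\\Temp\\QpWzRtXv.txt", NOW - timedelta(days=3)),        # random, but stale
    ("C:\\Windows\\Temp\\MpCmdRun.log", NOW - timedelta(minutes=3)),     # not .txt
    ("C:\\Users\\bob\\Desktop\\notes.txt", NOW),                         # not Windows\Temp
]

if __name__ == "__main__":
    for path in triage_temp_txt(SAMPLE_LISTING, NOW):
        print("review:", path)
```

Feed it whatever listing you already collect (a `dir /s` export, an EDR file-inventory query, a forensic image walk) as `(path, datetime)` pairs, and widen `window` when the suspected activity is older; the stale `QpWzRtXv.txt` entry above only surfaces once the window covers it.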

MOAR SHELLZ!

This entry was posted on May 12, 2014, 9:22 am and is filed under Remote Exploitation, Security.